CORS Preflight Requests

How the browser checks permission before sending a risky cross origin call.


Relaxing the boundary

CORS, Cross-Origin Resource Sharing, lets a server opt in to having its responses read by other origins, relaxing the browser's same-origin policy for that server only. The browser enforces it: the server states its policy in response headers, and the browser decides whether the calling page may see the response. For certain requests the browser first asks the server for permission with a preflight request before sending the real one.

When a preflight fires

A request is simple and skips preflight only if it uses GET, HEAD, or POST, carries only safelisted headers (Accept, Accept-Language, Content-Language, Content-Type), and any Content-Type is one of application/x-www-form-urlencoded, multipart/form-data, or text/plain. Anything else, such as a PUT or DELETE, a custom header like Authorization or X-CSRF-Token, or an application/json content type, triggers a preflight using the OPTIONS method. Note that a simple request is still sent to the server; the browser only withholds the response from the page if the CORS headers are missing.

The handshake headers

  • The browser sends Origin, Access-Control-Request-Method, and Access-Control-Request-Headers on the OPTIONS request, without cookies or other credentials.
  • The server replies with a 2xx status plus Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers.
  • Access-Control-Max-Age lets the browser cache the approval for that method and header set so repeat calls skip preflight; browsers cap the value (Chromium at 7200 seconds, Firefox at 86400).
  • Sending credentials requires Access-Control-Allow-Credentials: true and a specific Access-Control-Allow-Origin, never a wildcard. A server that simply echoes whatever Origin it receives together with Allow-Credentials has given every site on the web a way to read its authenticated responses; check the origin against an allowlist and add Vary: Origin so caches do not serve one origin's approval to another.

A passed preflight does not exempt the real request: the final response must also carry Access-Control-Allow-Origin (and Access-Control-Allow-Credentials when cookies were sent), or the browser blocks the page from reading it.
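The two decisions above, the browser's "is this request simple?" test and the server's answer to a preflight, as an added example in plain JavaScript. This is illustration code written for this page, not code from any browser or framework. The origin, route names and the X-CSRF-Token header in the policy are constructed for the example; the safelist model is simplified (it omits the Range header and the per-value length rules the spec also applies).

```javascript
// Added example: a minimal model of the CORS preflight decision on both sides.
// Browser side: does this request qualify as "simple" (no preflight)?
// Server side: answer an OPTIONS preflight and stamp the actual response.
// Origins and custom header names below are constructed for the example.

const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Mirrors the browser's rule: GET/HEAD/POST, only safelisted headers,
// and a Content-Type drawn from the three safelisted media types.
// Simplified: Range and the spec's value-length limits are not modelled.
function isSimpleRequest(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Server policy: an explicit allowlist, never a reflected arbitrary Origin.
const POLICY = {
  allowedOrigins: new Set(['https://app.example']),            // constructed
  allowedMethods: new Set(['GET', 'POST', 'PUT', 'DELETE']),
  allowedHeaders: new Set(['content-type', 'x-csrf-token']),  // constructed
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Answer an OPTIONS preflight. req.headers is a lower-cased name -> value map
// as Node's http module provides. Returns { status, headers }.
function handlePreflight(req, policy = POLICY) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const wanted = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Every part of the ask must be on the allowlist; otherwise no CORS headers at all.
  if (!policy.allowedOrigins.has(origin)) return { status: 403, headers: {} };
  if (!policy.allowedMethods.has(method)) return { status: 403, headers: {} };
  if (!wanted.every((h) => policy.allowedHeaders.has(h))) return { status: 403, headers: {} };

  const headers = {
    'Access-Control-Allow-Origin': origin,             // the specific origin, not *
    'Access-Control-Allow-Methods': [...policy.allowedMethods].join(', '),
    'Access-Control-Allow-Headers': [...policy.allowedHeaders].join(', '),
    'Access-Control-Max-Age': String(policy.maxAgeSeconds),
    'Vary': 'Origin',                                  // cache key must include Origin
  };
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { status: 204, headers };
}

// The actual response needs Allow-Origin too; a passed preflight does not exempt it.
function actualResponseHeaders(origin, policy = POLICY) {
  if (!policy.allowedOrigins.has(origin)) return {};
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```

The 403 on a rejected preflight is a choice, not a requirement; what matters is that the response carries no Access-Control-Allow-Origin, since the browser treats any non-2xx or missing-header reply as a refusal. The same policy object feeds both the preflight and the actual response so the two cannot drift apart.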

Key idea

CORS preflight uses an OPTIONS request to ask the server whether a non-simple cross-origin call is allowed before the real request is sent; the server answers with Access-Control-Allow-* headers, and the browser enforces the answer.

Check yourself


1. Which method does a CORS preflight use?

2. When can a cross origin request skip the preflight?

3. What does Access-Control-Max-Age control?